Wednesday, March 30, 2016

Dutch DPA Bars Employer Access to Fitness Tracker Data

On March 8, the Personal Data Authority of the Netherlands (formerly the College Bescherming Persoonsgegevens, or CBP) issued a decision prohibiting two unnamed employers from monitoring their employees’ activity via fitness trackers, even after obtaining their consent. The Authority found that data on movement and sleep patterns constituted sensitive personal information which could only be processed with the valid consent of the individual. However, given that employees are financially dependent upon their employers, and that consent therefore cannot be freely given in the employment context under European data protection law, employers processing such fitness tracking data are violating the country’s data protection legislation. The Authority made it clear that it had no objection to companies giving fitness trackers to employees, as long as the employees are in control of the data they generate.

To my knowledge, there have been no legal cases brought forth to date in the U.S. over the collection of fitness tracker data by employers, although it would not be at all surprising if they arise, given the momentum behind employee wellness programs and the embrace of self-quantification devices by individuals. The outcome of such cases would likely turn upon which state the case was developed in, since some states, such as California, are more sympathetic to arguments that consents, whether in the consumer or employment context, can be invalid if there is a profound imbalance in bargaining power between the parties involved.

On an interesting side note in the Dutch case, local media identified one of the companies as BeBright, a consultancy that had handed out the bracelets to its staff. When asked about the decision, the company said it wasn’t going to quibble with the judgment, since it is the Authority’s role to “investigate where the line is.” Contrast this stance with the common position of U.S. tech giants, such as Google, who all too frequently respond to enforcement actions initiated by DPAs by contending that they are in full compliance with national data protection legislation and look forward to the opportunity to prove this in court. Granted that the enforcement actions they face have more far-reaching consequences for their business models and profits, such arguments are so specious as to be little more than testimonies to their ability to exploit the current weaknesses in the enforcement powers of European DPAs. We will have to see if they continue to be advanced when the sanctioning powers of the DPAs are dramatically strengthened under the General Data Protection Regulation.